Skip to content
Snippets Groups Projects
Select Git revision
  • mr-324-test
  • feat/revoke-coderobe
  • master default protected
  • darnimator
  • lahwaacz-master
  • 20250123.1 protected
  • 20250123 protected
  • 20241203 protected
  • 20241015 protected
  • 20240709 protected
  • 20240609 protected
  • 20240520 protected
  • 20240429 protected
  • 20240427 protected
  • 20240313 protected
  • 20240208 protected
  • 20231222 protected
  • 20231207 protected
  • 20231130 protected
  • 20231113 protected
  • 20231107 protected
  • 20231026 protected
  • 20231017 protected
  • 20231012 protected
  • 20231011 protected
25 results
Compare
Name Last commit Last update
.gitlab
keyring
libkeyringctl
tests
wkd_sync
.editorconfig
.flake8
.gitignore
.gitlab-ci.yml
CONTRIBUTING.md
LICENSE
Makefile
README.md
keyringctl
pyproject.toml
README.md

archlinux-keyring

The archlinux-keyring project holds PGP packet material and tooling (keyringctl) to create the distribution keyring for Arch Linux. The keyring is used by pacman to establish the web of trust for the packagers of the distribution.

The PGP packets describing the main signing keys can be found below the keyring/main directory, while those of the packagers are located below the keyring/packager directory.

Requirements

The following packages need to be installed to be able to create a PGP keyring from the provided data structure and to install it:

Build:

  • make
  • findutils
  • pkgconf
  • systemd

Runtime:

  • python
  • sequoia-sq >= 0.31.0

Optional:

  • hopenpgp-tools (verify)
  • git (ci)

Usage

Build

Build all PGP artifacts (keyring, ownertrust, revoked files) to the build directory

./keyringctl build

Import

Import a new packager key by deriving the username from the filename.

./keyringctl import <username>.asc

Alternatively import a file or directory and override the username

./keyringctl import --name <username> <file_or_directory...>

Updates to existing keys will automatically derive the username from the known fingerprint.

./keyringctl import <file_or_directory...>

Main key imports support the same options plus a mandatory --main

./keyringctl import --main <username>.asc

Export

Export the whole keyring including main and packager to stdout

./keyringctl export

Limit to specific certs using an output file

./keyringctl export <username_or_fingerprint_or_directory...> --output <filename>

List

List all certificates in the keyring

./keyringctl list

Only show a specific main key

./keyringctl list --main <username_or_fingerprint...>

Inspect

Inspect all certificates in the keyring

./keyringctl inspect

Only inspect a specific main key

./keyringctl inspect --main <username_or_fingerprint_or_directory...>

Verify

Verify certificates against modern expectations and assumptions

./keyringctl verify <username_or_fingerprint_or_directory...>

Installation

To install archlinux-keyring system-wide use the included Makefile:

make install

Contribute

Read our contributing guide to learn more about guidelines and how to provide fixes or improvements for the code base.

Releases

Releases of archlinux-keyring are exclusively created by keyring maintainers.

The tags are signed with one of the following legitimate keys:

Christian Hesse <eworm@archlinux.org>
02FD 1C7A 934E 6145 4584  9F19 A623 4074 498E 9CEE

David Runge <dvzrv@archlinux.org>
991F 6E3F 0765 CF62 9588  8586 139B 09DA 5BF0 D338

Johannes Löthberg <demize@archlinux.org>
5134 EF9E AF65 F95B 6BB1  608E 50FB 9B27 3A9D 0BB5

Leonidas Spyropoulos <artafinde@archlinux.org>
B4B7 5962 5D46 3343 0B74  8770 59E4 3E10 6B24 7368

Levente Polyak <anthraxx@archlinux.org>
E240 B57E 2C46 30BA 768E  2F26 FC1B 547C 8D81 72C8

Morten Linderud <foxboron@archlinux.org>
C100 3466 7663 4E80 C940  FB9E 9C02 FF41 9FEC BE16

To verify a tag, first import the relevant PGP keys:

gpg --auto-key-locate wkd --search-keys <email-from-above>

Afterwards a tag can be verified from a clone of this repository. Please note that one must check the used key of the signature against the legitimate keys listed above:

git verify-tag <tag>

License

Archlinux-keyring is licensed under the terms of the GPL-3.0-or-later (see LICENSE).